[yocto] [meta-security][PATCH 2/2] smack kernel: add smack kernel config fragments

Khem Raj raj.khem at gmail.com
Thu Oct 27 19:32:02 PDT 2016


> On Oct 27, 2016, at 12:22 AM, Patrick Ohly <patrick.ohly at intel.com> wrote:
> 
> On Wed, 2016-10-26 at 08:00 -0700, Armin Kuster wrote:
>> Signed-off-by: Armin Kuster <akuster808 at gmail.com>
>> ---
>> recipes-kernel/linux/linux-yocto-4.8/smack-default-lsm.cfg | 2 ++
>> recipes-kernel/linux/linux-yocto-4.8/smack.cfg             | 8 ++++++++
>> recipes-kernel/linux/linux-yocto_4.8.bbappend              | 5 +++++
>> 3 files changed, 15 insertions(+)
>> create mode 100644 recipes-kernel/linux/linux-yocto-4.8/smack-default-lsm.cfg
>> create mode 100644 recipes-kernel/linux/linux-yocto-4.8/smack.cfg
>> 
>> diff --git a/recipes-kernel/linux/linux-yocto-4.8/smack-default-lsm.cfg b/recipes-kernel/linux/linux-yocto-4.8/smack-default-lsm.cfg
>> new file mode 100644
>> index 0000000..b5c4845
>> --- /dev/null
>> +++ b/recipes-kernel/linux/linux-yocto-4.8/smack-default-lsm.cfg
>> @@ -0,0 +1,2 @@
>> +CONFIG_DEFAULT_SECURITY="smack"
>> +CONFIG_DEFAULT_SECURITY_SMACK=y
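Review bot: CONFIG_DEFAULT_SECURITY_SMACK=y in smack-default-lsm.cfg can only be selected when CONFIG_SECURITY_SMACK=y is also set, and that symbol is set in the separate smack.cfg, so this fragment silently has no effect if it is applied on its own. The bbappend listed in the diffstat is not shown here, so it is not visible whether the two fragments are always applied together. Suggest a comment line at the top of this fragment stating that it requires smack.cfg, and a sentence in the commit message (currently only a Signed-off-by) saying when a user is expected to enable the default-LSM fragment versus Smack alone.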
>> diff --git a/recipes-kernel/linux/linux-yocto-4.8/smack.cfg b/recipes-kernel/linux/linux-yocto-4.8/smack.cfg
>> new file mode 100644
>> index 0000000..62f465a
>> --- /dev/null
>> +++ b/recipes-kernel/linux/linux-yocto-4.8/smack.cfg
>> @@ -0,0 +1,8 @@
>> +CONFIG_IP_NF_SECURITY=m
>> +CONFIG_IP6_NF_SECURITY=m
>> +CONFIG_EXT2_FS_SECURITY=y
>> +CONFIG_EXT3_FS_SECURITY=y
>> +CONFIG_EXT4_FS_SECURITY=y
>> +CONFIG_SECURITY=y
>> +CONFIG_SECURITY_SMACK=y
>> +CONFIG_TMPFS_XATTR=y
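Review bot: CONFIG_IP_NF_SECURITY=m and CONFIG_IP6_NF_SECURITY=m are the only modular entries in smack.cfg, so the iptables "security" tables are available on the target only if the kernel modules are installed in the image and loaded; everything else in the fragment is built in. Suggest either making these =y or documenting the module dependency for images that rely on packet labeling. A short comment would also help explain why CONFIG_TMPFS_XATTR=y and the EXT2/3/4 *_FS_SECURITY options are here (Smack stores its labels in extended attributes), and listing CONFIG_SECURITY=y first would make the dependency order easier to read.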
> 
> Were these two files perhaps copied from
> https://github.com/01org/meta-intel-iot-security/tree/master/meta-security-smack/recipes-kernel/linux/linux ?
> 
> Just wondering, they look, hmm, very familiar ;-)
> 
> Can you say a bit more about your plans regarding Smack support in
> meta-security? A recipe for the userspace tool and the kernel config is
> a start, but for a fully functional Smack-enabled image, the rootfs also
> needs to be set up a bit differently.

FWIW meta-security seems to be the right place for Smack-related infra.

> 
> I can imagine that it would be worthwhile to take more of the things
> done in meta-intel-iot-security and then deprecate that layer.
> 
> --
> Best Regards, Patrick Ohly
> 
> The content of this message is my personal opinion only and although
> I am an employee of Intel, the statements I make here in no way
> represent Intel's position on the issue, nor am I authorized to speak
> on behalf of Intel on this matter.
